From: Kevin Oberman
To: Dimitry Andric
Cc: Peter Wemm, FreeBSD Ports ML (freebsd-ports@freebsd.org)
Date: Wed, 5 Aug 2015 15:07:04 -0700
Subject: Re: Unable to relocate to new svn URL

On Wed, Aug 5, 2015 at 1:21 PM, Dimitry Andric wrote:

> On 05 Aug 2015, at 22:05, Kevin Oberman wrote:
> >
> > Today I decided to relocate my ports source from the old specific mirror to
> > the new svn.freebsd.org. Seemed like just one easy command, but not quite.
> >
> > First, if subversion is built with the default options, it will refuse to
> > do https:// with the confusing message that the URL format was not
> > recognized. I checked and my svn was not built with SASL. SASL is not on by
> > default. So I rebuilt subversion and now it likes the command, but won't
> > accept the certificate:
> > Error validating server certificate for 'https://svn.freebsd.org:443':
> >  - The certificate is not issued by a trusted authority. Use the
> >    fingerprint to validate the certificate manually!
> > Certificate information:
> >  - Hostname: svn.freebsd.org
> >  - Valid: from Jun 22 00:00:00 2015 GMT until Jun 22 23:59:59 2016 GMT
> >  - Issuer: Gandi, Paris, Paris, FR
> >  - Fingerprint: E9:37:73:80:B5:32:1B:93:92:94:98:17:59:F0:FA:A2:5F:1E:DE:B9
> > (R)eject, accept (t)emporarily or accept (p)ermanently?
> >
> > Indeed, it does not appear that Gandi is on the certificate.txt file
> > installed by ca_root_nss.
>
> Not directly, the Gandi Standard SSL CA 2 certificate is issued by the
> following root CA:
>
> Serial Number: 01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
> Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network,
> CN=USERTrust RSA Certification Authority
>
> > Is this a problem with the ca_root_nss port, the certificate, or is
> > something hacked? Clearly, I am not about to trust the certificate as it
> > now stands.
>
> Which version of ca_root_nss do you have? Mine is 3.19.1_1, and it
> definitely has the above root CA in /etc/ssl/cert.pem.
>
> -Dimitry

Thanks for the quick response!

I'm still confused, though. I have 3.19.2, so it is just a bit newer. But I
don't have /etc/ssl/cert.pem. The root certs are installed in
/usr/local/share/certs/ca-root-nss.crt. Is something required to get them
into /etc/ssl?

I confirm that the fingerprints match.

Also, the handbook needs a bit of work. It shows the use of svn.freebsd.org,
but the text just prior to the example still talks about "the western US
repository". Later text discusses the GeoDNS and svn.freebsd.org. (Yes, this
is nit-picking.)

Any idea why my use of SVN is complaining? Now that I have verified the
fingerprint, I can go on and accept the cert, but why is this happening and
will it bite others?

--
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
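
The two manual checks discussed in this message (comparing the fingerprint svn prints against one obtained from a trusted channel, and checking whether a given root is present in a bundle at a non-default path such as /usr/local/share/certs/ca-root-nss.crt), as an added example that is not part of the original thread. It assumes the fingerprint is the SHA-1 (or SHA-256) digest of the DER-encoded certificate; all function names are hypothetical and the sample bundle is constructed placeholder data, not real certificates.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Fingerprint exactly as svn printed it in the message above (server cert).
PAGE_FP = "E9:37:73:80:B5:32:1B:93:92:94:98:17:59:F0:FA:A2:5F:1E:DE:B9"

def normalize(fp):
    """Return bare upper-case hex; reject anything that is not a
    SHA-1 (40 hex digits) or SHA-256 (64 hex digits) fingerprint."""
    s = "".join(fp.split()).replace(":", "").upper()
    if not re.fullmatch(r"(?:[0-9A-F]{40}|[0-9A-F]{64})", s):
        raise ValueError("not a SHA-1/SHA-256 fingerprint: %r" % fp)
    return s

def same_fingerprint(shown, trusted):
    """Compare what the client shows with a value from a trusted channel."""
    return normalize(shown) == normalize(trusted)

def fingerprints(bundle_text, algo="sha1"):
    """Fingerprint every certificate in a PEM bundle; any text between
    the PEM blocks is skipped."""
    out = []
    for m in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(m.group(1).split()))
        out.append(hashlib.new(algo, der).hexdigest().upper())
    return out

def bundle_has(bundle_text, trusted_fp):
    """True if a certificate with this fingerprint is in the bundle."""
    want = normalize(trusted_fp)
    algo = "sha1" if len(want) == 40 else "sha256"
    return want in fingerprints(bundle_text, algo)

def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes, not real X.509 certificates.
DER_A, DER_B = b"constructed-root-A" * 4, b"constructed-root-B" * 4
SAMPLE_BUNDLE = "Certificate:\n  Data: ...\n" + make_pem(DER_A)

if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py /usr/local/share/certs/ca-root-nss.crt <root fingerprint>
    with open(sys.argv[1], errors="replace") as fh:
        print(bundle_has(fh.read(), sys.argv[2]))
```

The fingerprint in the svn prompt belongs to the server certificate, so it is expected to be absent from a root bundle; the bundle lookup is meant for a root CA fingerprint obtained independently of the connection being checked.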